First beta to be released as v0 #1

Merged: 47 commits, Jan 13, 2016
Conversation

aeneasr (Member) commented Dec 31, 2015

  • Client: OAuth2 client implementation
  • Generator: Token generator and validator
  • Hash: Secure hashing implementation
  • Rand: Random helpers using crypto
  • Enigma: Helpers for encrypting data (and rotating keys)
  • Session: (Authorize) Session management
  • OAuth2 grants
    • authorize code grant (auth and token endpoint)
    • implicit grant
    • client credentials grant
    • resource owner password credentials grant
    • refresh grant
  • don't allow redirects to unencrypted endpoints unless it's localhost
  • Add helpers for validating scopes, expiry time and other things
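The two request-validation rules in the list above (refuse non-TLS redirect targets unless they point at localhost; check requested scopes against what a client is allowed) as an added example in Go. This is not code from the PR or from fosite's API: the Client type, the function names, the error values and the registered URIs are assumptions made here for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Client is a hypothetical registered OAuth2 client; it stands in for
// whatever client record the server keeps and is not fosite's type.
type Client struct {
	ID           string
	RedirectURIs []string // registered exactly: scheme, host, port and path
	Scopes       []string // scopes this client may be granted
}

var (
	ErrRedirectMismatch = errors.New("redirect_uri is not registered for this client")
	ErrRedirectInsecure = errors.New("redirect_uri must use https unless it points at localhost")
	ErrScopeNotAllowed  = errors.New("requested scope is not allowed for this client")
)

// isLoopback reports whether the URI's host is "localhost" or a loopback IP
// such as 127.0.0.1 or ::1; a port, if present, is ignored.
func isLoopback(u *url.URL) bool {
	host := u.Hostname()
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// ValidateRedirectURI accepts a redirect_uri only if it matches one of the
// client's registered URIs byte for byte (no prefix or wildcard matching)
// and is served over TLS; plain http is tolerated only for loopback hosts
// used during development.
func ValidateRedirectURI(c Client, raw string) (*url.URL, error) {
	registered := false
	for _, r := range c.RedirectURIs {
		if r == raw {
			registered = true
			break
		}
	}
	if !registered {
		return nil, ErrRedirectMismatch
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	switch {
	case u.Scheme == "https":
		return u, nil
	case u.Scheme == "http" && isLoopback(u):
		return u, nil
	default:
		return nil, ErrRedirectInsecure
	}
}

// GrantScopes parses the space-separated scope parameter (RFC 6749,
// section 3.3) and grants it only if every requested scope is on the
// client's allow-list. One unknown scope rejects the whole request instead
// of silently narrowing it, so a client cannot probe for scope names.
func GrantScopes(c Client, requested string) ([]string, error) {
	allowed := make(map[string]bool, len(c.Scopes))
	for _, s := range c.Scopes {
		allowed[s] = true
	}
	var granted []string
	for _, s := range strings.Fields(requested) {
		if !allowed[s] {
			return nil, fmt.Errorf("%w: %q", ErrScopeNotAllowed, s)
		}
		granted = append(granted, s)
	}
	return granted, nil
}

func main() {
	// Constructed client record for the demonstration.
	c := Client{
		ID:           "my-client",
		RedirectURIs: []string{"https://app.example.com/callback", "http://localhost:3846/callback"},
		Scopes:       []string{"openid", "photos.read"},
	}
	for _, uri := range []string{
		"https://app.example.com/callback",
		"http://localhost:3846/callback",
		"http://app.example.com/callback",           // not registered, rejected before the scheme is looked at
		"https://app.example.com/callback/../admin", // not an exact match
	} {
		_, err := ValidateRedirectURI(c, uri)
		fmt.Printf("%-45s -> %v\n", uri, err)
	}
	for _, s := range []string{"openid photos.read", "openid admin"} {
		granted, err := GrantScopes(c, s)
		fmt.Printf("scope %q -> %v %v\n", s, granted, err)
	}
}
```

The order of the checks matters: the exact-match test runs first so that an attacker-supplied URI is never parsed or reasoned about unless it was registered, and the scheme rule is still enforced on registered URIs as a second line of defence in case registration itself was not validated.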

// e.g: response, err = oauth.HandleAuthorizeRequest(authorizeRequest)

// set up a session
// session := oauth2.NewAuthorizeSession(123)
Is this going to use the JSONSession? I don't totally understand the use-case for this yet. Otherwise I like the separation of concerns. Is the fosite.NewOAuth(config) necessary, or can requests just come directly from the config, similar to the oauth2 client?

Member Author
Yes, it is going to be JSONSession, I have to reword the readme here.

The session basically takes the AuthorizeRequest object and converts it to a session. For example, it removes the "key" part of the token and enables you to set custom data with SetExtra or Set. Custom data could be additional metadata for the request or some token or a remote identity provider identifier (dropbox, google).

You're right, it should be a good idea to "merge" NewDefaultConfig and NewOAuth similar to the oauth2 client. Good point! :)

Member Author
i've added a section to the session part. does that make things clearer?

aeneasr force-pushed the unstaged branch 6 times, most recently from 79dfdd6 to eaeffe8, January 2, 2016 10:40
aeneasr self-assigned this Jan 2, 2016
aeneasr force-pushed the unstaged branch 2 times, most recently from 5d7de48 to 4433afb, January 2, 2016 10:59
aeneasr changed the title from "first-look" to "v0.1" Jan 2, 2016
aeneasr added this to the 0.1-beta milestone Jan 2, 2016
aeneasr changed the title from "v0.1" to "0.1-beta" Jan 2, 2016
aeneasr added the labels "help wanted" (We are looking for help on this one.) and "rfc" (A request for comments to discuss and share ideas.) Jan 2, 2016

// ** This part of the API is not finalized yet **
// response = &AuthorizeResponse{}
// err = oauth2.HandleResponseTypes(authorizeRequest, response, session)
The one thing to note here is that the OAuth2 error differs from the root cause of the error. Frequently the OAuth2 error isn't very useful for debugging, so there has to be some way to extract one or the other.

Member Author
That's true, error handling is quite tricky. fosite uses go-errors so you can have an internal stack trace with err.(*errors.Error).ErrorStack(). Do you think that is enough?

This may be enough. In practice I like to use a logger like logrus and log both the oauth2 error and the internal error in the same place which makes it easier to correlate errors reported by a user to an internal error.

Member Author
ok cool, I think go-errors in combination with logrus is very powerful :)
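One way to keep the RFC 6749 error that goes to the client apart from the root cause that goes to the log, as an added example in Go. This is not fosite's code and it does not use go-errors or logrus; the OAuth2Error type, the Render function and the request IDs are assumptions made here for illustration, and the failures it renders are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"os"
)

// OAuth2Error is a hypothetical error type, not fosite's: the exported
// fields are what the client sees (RFC 6749, section 5.2); the unexported
// cause is the root error kept for operators and is never serialised.
type OAuth2Error struct {
	Code        string `json:"error"`
	Description string `json:"error_description,omitempty"`
	Status      int    `json:"-"`
	cause       error
}

func NewOAuth2Error(code, description string, status int, cause error) *OAuth2Error {
	return &OAuth2Error{Code: code, Description: description, Status: status, cause: cause}
}

// Error is the operator-facing string: public code plus root cause.
func (e *OAuth2Error) Error() string {
	if e.cause == nil {
		return e.Code
	}
	return e.Code + ": " + e.cause.Error()
}

// Unwrap lets errors.Is and errors.As walk through to the root cause.
func (e *OAuth2Error) Unwrap() error { return e.cause }

// Render turns any error into the HTTP status and JSON body for the client
// plus one log line that records the public code and the root cause under
// the same request ID, so a code a user reports can be matched to the
// internal failure. Errors that no layer classified become an opaque
// server_error rather than leaking storage or crypto details.
func Render(requestID string, err error) (status int, body string, logLine string) {
	var oe *OAuth2Error
	if !errors.As(err, &oe) {
		oe = NewOAuth2Error("server_error",
			"The authorization server encountered an unexpected condition.", 500, err)
	}
	b, _ := json.Marshal(oe) // cause is unexported, so it cannot end up in the body
	logLine = fmt.Sprintf("request_id=%s oauth2_error=%s status=%d cause=%q",
		requestID, oe.Code, oe.Status, fmt.Sprint(oe.cause))
	return oe.Status, string(b), logLine
}

func main() {
	logger := log.New(os.Stderr, "", log.LstdFlags)

	// Constructed failures for the demonstration.
	cases := []error{
		// A replayed authorization code: the client is told invalid_grant,
		// the log records why.
		NewOAuth2Error("invalid_grant", "The provided authorization grant is invalid.", 400,
			errors.New("authorize code already redeemed")),
		// The same kind of error wrapped by a higher layer still renders correctly.
		fmt.Errorf("token endpoint: %w",
			NewOAuth2Error("invalid_client", "Client authentication failed.", 401,
				errors.New("client secret hash mismatch for client_id=my-client"))),
		// A storage failure nobody classified: opaque to the client, specific in the log.
		errors.New("pq: connection refused"),
	}
	for i, err := range cases {
		reqID := fmt.Sprintf("req-%d", i+1)
		status, body, line := Render(reqID, err)
		logger.Println(line)
		fmt.Println(status, body)
	}
}
```

The single log line carries both identifiers, which is the correlation the thread asks for; with a structured logger such as logrus the same three values would simply become fields on one entry instead of a formatted string.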

aeneasr (Member Author) commented Jan 3, 2016

@agtorre thanks for your continued feedback, it helps me a lot :)

aeneasr (Member Author) commented Jan 11, 2016

HELL YEAH! That was intense. I pushed the library to the point where I created a working server side OAuth2 example for the authorize code grant type. Check out the awesome gif here and read how to get the example running yourself. You can also check out the example's source code.

Are you as excited as I am? A secure OAuth2 server in less than 150 chars?

Obviously, there are still a couple of things missing. I will address those soon.

aeneasr (Member Author) commented Jan 11, 2016

implicit grant ✅

aeneasr (Member Author) commented Jan 12, 2016

client credentials ✅

Implicit and client credentials are now both included in the examples as well

aeneasr (Member Author) commented Jan 12, 2016

all grant types have now been implemented - but are not fully tested yet.

aeneasr force-pushed the unstaged branch 2 times, most recently from b88e3bd to 4eb1b5a, January 12, 2016 23:48
aeneasr (Member Author) commented Jan 13, 2016

done 👌

next thing is going to be open id connect, but let's see what feedback people give

aeneasr pushed a commit that referenced this pull request Jan 13, 2016
First beta to be released as v0
aeneasr merged commit e0829f9 into master Jan 13, 2016
aeneasr deleted the unstaged branch January 13, 2016 09:59
rbagjani commented Mar 6, 2018

I need some help with implementing security using fosite library. I am unable to figure out how to use the scopes to grant the permission to different APIs based on the users.

I am able to generate tokens through the client_credentials grant type. I am taking it that only "fosite" can be used in the scope of the appClientConfig variable, but I need to figure out how to provide different grantScope (permissions) to different users.

Please help as this scenario is not covered in your example. Thanks.

aeneasr (Member Author) commented Mar 6, 2018

Please don't dig up old issues to ask questions, especially if your question does not have anything to do with the thread you're digging up. This will ping all people involved with something that isn't even remotely related.

You can check the example implementation here, it should help you with your implementation: https://github.com/ory/fosite-example

ory locked as resolved and limited conversation to collaborators Mar 6, 2018